Links in phishing-like emails lead to tech support scam

Modern social engineering attacks use non-portable executable (PE) files like malicious scripts and macro-laced documents. Every month, Windows Defender AV detects non-PE threats on over 10 million machines.

Tech support scams continue to evolve, with scammers exploring more ways to reach potential victims. Recently, we have observed spam campaigns distributing links that lead to tech support scam websites.

Anti-spam filters in Microsoft Exchange Online Protection (EOP) for Office 365 and in Outlook.com blocked the said emails because they bore characteristics of phishing emails. The said spam emails use social engineering techniques—spoofing brands, pretending to be legitimate communications, disguising malicious URLs—employed by phishers to get recipients to click suspicious links.

However, instead of pointing to phishing sites designed to steal credentials, the links lead to tech support scam websites, which use various scare tactics to trick users into calling hotlines and paying for unnecessary “technical support services” that supposedly fix contrived device, platform, or software problems.

The use of email as an infection vector adds another facet to tech support scams, which are very widespread. Every month, at least three million users of various platforms and software encounter tech support scams. However, tech support scams are not typical email threats:

Many of these scams start with malicious ads found in dubious web pages—mostly download locations for fake installers and pirated media—that automatically redirect visitors to tech support scam sites where potential victims are tricked into calling hotlines.

Some tech support scams are carried out with the help of malware like Hicurdismos, which displays a fake BSOD screen, or Monitnev, which monitors event logs and displays fake error notifications every time an application crashes.

Still other tech support scams use cold calls. Scammers call potential victims and pretend to be from a software company. The scammers then ask victims to install applications that give them remote access to the victim’s devices. Using remote access, the experienced scam telemarketers can misrepresent normal system output as signs of problems. The scammers then offer fake solutions and ask for payment in the form of a one-time fee or subscription to a purported support service.

The recent spam campaigns that spread links to tech support scam websites show that scammers don’t stop looking for ways to perpetrate the scam. While it is unlikely that these cybercriminals will abandon the use of malicious ads, malware, or cold calls, email lets them cast a wider net.

An alternative infection path for tech support scams

The spam emails with links to tech support scam pages look like phishing emails. They pretend to be notifications from online retailers or professional social networking sites. The suspicious links are typically hidden in harmless-looking text.

Figure 1. Sample fake Alibaba order cancellation email. The order number is a suspicious link.

Figure 2. A sample of a fake Amazon order cancellation email. Similarly, the order number is a suspicious link.

Fig 3. Sample fake LinkedIn email of a message notification. The three hyperlinks in the email all lead to the same suspicious link.

The links in the emails point to websites that serve as redirectors. In the samples we analyzed, the links pointed to the following sites, which are most likely compromised:

Interestingly, the redirector websites contain code that diverts some visitors to pharmaceutical or dating websites.

Fig 4. Redirects to pharmacy sites

In most cases, however, the redirector websites eventually lead to typical support scam pages.

Fig 5. Redirects to support scam site

Landing on typical support scam websites

Tech support scams sites often mimic legitimate sites. They display pop-up messages with fake warnings and customer service hotline numbers. As part of the scam, calls to these phone numbers are answered by agents who trick users into paying for fake technical support.

Fig 6. Tech support scam site with fake warning and support number

The technical support scam websites employ various social engineering techniques to compel users to call the provided hotlines. They warn about malware infection, license expiration, and system problems. Some scams sites display countdown timers to create a false sense of urgency, while others play an audio message describing the supposed problem.

Tech support scam websites are also known to use pop-up or dialog loops. A dialog loop refers to malicious code embedded in sites that causes the browser to present an infinite series of browser alerts containing falsified threatening messages. When the user dismisses an alert, the malicious code invokes another one, ad infinitum, essentially locking the browser session.

Windows 10 protects against tech support scams, no matter the vector

Tech support scams continue to expand and evolve. They are becoming multi-faceted and are arriving via several infection vectors. A multi-layered defense is necessary.

Windows 10 has a comprehensive protection stack that defends against multi-faceted threats. New and updated features in Creators Update provide even more protection for devices against the latest and advanced threats. Upgrade to Windows 10, if you haven’t already, and keep your computers up-to-date.

Use Microsoft Edge when browsing the Internet. It uses Windows Defender SmartScreen (also used by Internet Explorer), which blocks tech support scam websites and other malicious websites, as well as malicious downloads.

Microsoft Edge also helps stop pop-up or dialog loops that are often spawned by tech support scam websites. It does this by allowing you to stop web pages from creating any more messages when the first one is dismissed:

Figure 8. Dialog loop protection in Microsoft Edge

When a website serves a dialog loop, you can also try to close the browser window. Alternatively, you can open Task Manager (by pressing CTRL+SHIFT+ESC), select the browser under Apps, and click End task. In future updates, Microsoft Edge will let you close the browser or specific tabs even when there is a pop-up or dialog message.

To report a tech support scam site using Microsoft Edge, select More […] while you are on the site. Select Send feedback > Report unsafe site, and then use the web page that opens to report the website. In Internet Explorer, select the gear icon and then select to Safety > Report unsafe website.

Windows Defender Antivirus detects and blocks tech support scam malware and other threats. It leverages protection from the cloud, helping ensure you are protected from the latest threats.

To test how Windows Defender ATP can help your organization detect, investigate, and respond to advanced attacks, sign up for a free trial.

Tech support scams employ various social engineering techniques to get potential victims to call fake support hotlines. Do not call hotline numbers displayed in pop-up messages. Error and warning messages from Microsoft do not contain support numbers.

Some scammers might contact you directly and claim to be from Microsoft. Microsoft will not proactively reach out to you offering unsolicited technical support. To reach our technical support staff, visit the Microsoft Answer Desk.